What is RETRI? 



RETRI is a new, agile approach to the Incident 
Response process, consisting of 4 phases with clear 
entry and exit criteria 

Using special network segmentation and isolation 
technologies, RETRI allows network operators to 
run a compromised network without risk to the data 
and minimal impact on its users. 
It saves you time and money 



Overview 



The first part of this presentation presents a new paradigm
for the Incident Response process called Rapid Enterprise
Triaging (RETRI), where the primary objective is to isolate
the infected network segment for analysis without
disrupting its availability.

Part two of this presentation will introduce a new Enterprise 
Incident Response tool named Codeword that complements 
the RETRI paradigm. The tool is a free, agent-based tool 
that is deployed to the compromised segment to perform 
the traditional incident response tasks (detect, diagnose, 
collect evidence, mitigate, prevent and report back). 



Assumptions 



Mid to large sized network (1,000+ users)
Distributed, domain/forest type of network
infrastructure (i.e., "Government style")
Full Enterprise Compromise

■ This is a lot of work if only one or two machines are
compromised

Compelling evidence will be required by CEOs

The compromised network segment contains
critical servers/services that must remain
online throughout the response effort
Forensics per se is not crucial for a successful
recovery



Current Recovery Options 



Network shut down and rebuilt from trusted
media (1-4 months)

■ Pros: 100% assurance, data exfil cut off ASAP

■ Cons: people can't work

Rebuild while online

■ Pros: People keep working (for the most part)

■ Cons: Data exfil continues, bad guys keep a
foothold, potential recompromise



A New Method is Required 



The RETRI method attempts to solve the 
shortcomings of each of the existing 
methods. 

■ RETRI Option: 

Pros: Data exfil stopped, high confidence in network 
hygiene, people keep working 

■ Cons: Costly - lots of work to setup (but still cheaper in 
the long run) 



Case Study 1 
(Rebuild while online) 



Survey Data for 2006

On average hacked companies spent $4.7 million on cleanup

■ Cost based on lost revenue, cleanup, and brand damage

■ $182 per record lost

Survey Data for 2008

Average cost rose to $6.6 million (up to $32 million)

■ $202 per record lost

Lessons learned from the survey

Employee downtime cost 3 times as much as the actual cleanup

■ Even with rebuilding the network while online, there is significant downtime for
employees

■ If only there was a way to eliminate employee downtime

Record cleanup was how cost was determined, not number of hosts / infected
machines

"First Time" Intrusions cost more

■ 84% of 2008 Survey respondents had previous intrusions

■ 2008 numbers would be much higher if they didn't have "practice" cleaning up
intrusions



Survey: http://www.encryptionreports.com/download/Ponemon_COB_2008_US_090201.pdf



Case Study 2 
(Rebuilding Offline) 



Based on a 2007 incident we worked

■ Approximate Total Cost: $7 Million

■ IR Tools / IT Support Overtime / User Downtime

An extreme effort was made to minimize downtime (24/7 shifts
with extensive outside resources being brought in)

■ Users were offline for 2.5-3 weeks

User base: 1,500 users

■ User downtime cost approximately $… million

1,500 users * 15 days * 40 hours a day * $50 an hour (average)

■ Numbers based on network rebuild, not lost sales or
record cleanup

■ No PII or User data stolen

100% of network hosts were rebuilt
■ $2.5 Million in IR tools and Labor
Case Study 3

(RETRI: Estimated Cost) 



10,000 users / clients

Projected Cost (~$2.9 Million)

Best Case Scenario:

■ Decision to implement made on Thursday evening

■ RETRI Phase 3 finished by COB Monday

■ Limited user downtime (1-2 business days)

Start on Tuesday, response proceeds at a casual pace

Cost breakdown

~ $576,000 for Phase 3 Labor (Network / Server Admins)
~ $1,000,000 in Software Licenses (list price, without discounts)
~ $650,000 in New Hardware
~ $288,000 in IR
~ $384,000 in Re-imaging Labor (deploying and desk-side support)

Keep in mind, this is a large network which is being 100% rebuilt

■ On average it is 2-3 times cheaper than any other method

So what is RETRI...



RETRI's Phased Approach 



Phase 1: Preparation

Weeks to months

Phase 2: Damage Assessment

24 hours or less

Phase 3: Network Segmentation and Service Restoration

3-6 days

Phase 4: Investigation and Recovery

Whatever is required (users are not affected)



[Timeline figure: Develop COOP (weeks or months) → Compromise Detection (date illegible, 2009) → 8/4/2009 Damage Assessment Complete, Begin Segmentation → 8/6/2009 Segmentation Complete → 8/7/2009 User Services Restored → Investigation and Recovery (whatever is required)]
Cyber COOP is required



Traditional COOP 

■ Generally ensures you have backups at an offsite location, but...

■ Real-time replicated backups shouldn't be trusted 

■ Identify highly critical services and business processes 
which require Internet connectivity to function 

Cyber COOP 

Create a backup plan and identify hardware and software 
for cyber attack recovery scenario 

■ Physical media (e.g., tape) backups 

■ Cloud computing provides no benefit 
Resource Considerations



People: 

Network Admins, Server and Desktop Support staff, 
Incident Response Specialists, IDS / IPS Analysts 

Switch and Router specialists 

Hardware 

Need servers to restore backups to 

Software 

Application Streaming Infrastructure (ASI)

■ Citrix $350 per user
■ ThinWorx $199 per user (open to "renting" the software)
■ Quest vWorkspace Enterprise $100 per user

IR tools
Don't forget...



Scripts / SMS packages 

Prep to install / remove apps 
Scripts to change default home page 

User Notifications 

What will you tell your users 

What are they allowed to say to outsiders 

Training packages 

Emails 

Posters 

Web CBTs
Architecture and Planning



Virtualization technology enables rapid response and 
minimizes resource consumption 

Saves on number of physical servers necessary for RETRI network 
segmentation 

Known good VM images can be restored in moments from backups 

This architecture streamlines the use of response tools 

Many tools and applications can be loaded on VMs 

Distributed analysis among analyst teams with common data sets 

Leverage software inventory / deployment systems in place 

SMS, Patchlink, Hercules, etc.
Know Your Network!



Where do your assets live? 

What platforms exist? 

Network entry points 

Trust relationships 

"Dark segments"

Are there any unique dependencies which will need
to be addressed?

Inventory / asset management

■ How will you gauge coverage?
■ If you can't count your assets...
Phase 2 - Damage Assessment



Within 24 hours of compromise discovery...

Intrusion is detected

Perform basic incident response to identify the attack vector

Identify date of infection so backups can be restored from known good sources

Identify Command and Control method

Attempt to identify basic malware capabilities

Submit samples to AV vendor for rapid signature creation

Determine the scope of the infection / intrusion
Does RETRI Fit?



This is a major decision before proceeding...

■ Are critical backups available for RETRI? 

Domain Controllers, Exchange servers, DNS, File servers, Print 
servers, Web servers 

Does the evidence support the decision to begin a network 
wide rebuild...? 

■ Rebuilds are very costly and time intensive 

■ RETRI affords you the time to do the rebuild without taking your 
users offline 

■ Some data may be lost 

...If not, use traditional methods! 
If so... Convince your Boss 
Stop the bleeding



Cut off network access 

■ Deny the hackers access to your network and the 
data you are charged with protecting 

■ Implement Firewall or IPS blocks for known backdoors 

Inform management and users 

■ Tell them what they can and can't say... 

■ Tell them when services will be restored 

Implement disaster recovery plan 

Prepare to go to 24/7 operations in all critical IT 
departments 
Segmentation Fundamentals



Virtual Routing and Forwarding (VRF) is a technology that allows
multiple instances of a routing table to co-exist within the same router at
the same time.

Because the routing instances are independent, the same or overlapping IP
addresses can be used without conflicting with each other.

Packets get a VRF tag added to them so that routers can distinguish which
network they operate on.

Multi-Protocol Label Switching (MPLS) is commonly used for Enterprise
VRF deployments.

MPLS allows you to label packets so that the routers can pass packets very
quickly based on their label (VRF).

In Summary:

■ Switch Ports get mapped to VLANs

■ VLANs get mapped to VRFs

■ VRFs get MPLS labels

■ MPLS labels logically separate data as it traverses shared network hardware



http://en.wikipedia.org/wiki/VRF
Creating the two networks



The Quarantine Network (Qnet) 

Using VLAN/VRF technology, place your old network into
a new VRF

■ All packets get tagged for your new VRF and are restricted to the 
new zone based on routing / firewall rules 

No external connectivity 

The Clean Network (CleanNet) 

■ Create an empty VRF which mirrors the other network's IP 
space and layout 

■ The difference is the CleanNet has connectivity to the Internet 

■ Initially this network will be totally empty 



[Diagram: Internet Connection; Only port 443 allowed to ASI Cluster; DHCP / DNS / SMS / AV]



What is the Qnet?

All devices on the infected network must be placed in the Qnet

The Qnet will require basic network infrastructure

■ DHCP, DNS, Active Directory / Auth Services

■ SMS, Software Deployment Services, Remote Imaging

■ AV, Forensic / IR Tools, Network Scanners
What is the CleanNet?



A network that will become your new enterprise 

Email Servers, File Servers, Print Servers, Web servers, Domain 
Controllers, Authentication Systems, DNS, DHCP 

Printers can be in the CleanNet VLAN while physically remaining 
where they are 

■ Printers should be verified before being placed in CleanNet 

■ This way printers can be mapped from the ASI cluster 

A network that has standard internet connectivity 

Servers moved over or restored here take the IPs they used to have 

Firewall, IDS and IPS rules should not need to be modified as you 
restore services in the CleanNet 

ASI Cluster and App Server Farm 
Gluing the networks together



How do you provide access to the CleanNet from the Qnet 
without risking the security of the CleanNet and the data still 
residing in the Qnet? 

■ Very restrictive firewall rules 

■ Only Port 443 allowed to specific IPs in the CleanNet 

■ All communications with the CleanNet must be authenticated by some 2 
factor method (Smart Card, RSA, biometrics) 

■ All communications with the CleanNet must be encrypted 

Qnet DNS 

Option 1: All DNS points to the ASI cluster so users always get to a login 
screen 

Option 2: (recommended) 

ASI.company.com points to the ASI 

■ Becomes default homepage in browser 

All other entries (*.com, *.net, etc.) point to a tarpit / IDS for analysis
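A toy model of the two-network design on the Segmentation Fundamentals and Gluing slides, added here as an example (it is not from the presentation and not a vendor configuration): two VRFs that share one IP space, the single TCP/443 hole from the Qnet to the ASI cluster, and the recommended Qnet DNS answer. The addresses, switch port names and host names are constructed.

```python
"""Toy model of the RETRI Qnet / CleanNet split: VRF tagging, the inter-VRF
policy and the Qnet DNS policy.  Added example; all addresses, port names and
host names below are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

QNET, CLEANNET, INTERNET, DROP = "qnet", "cleannet", "internet", "drop"

# Both VRFs carry the same enterprise range: the CleanNet mirrors the Qnet's
# IP space, so 10.0.5.5 is one machine in the Qnet and another in the CleanNet.
ENTERPRISE = ip_network("10.0.0.0/16")
# Constructed ASI cluster addresses; assumed to be reserved in the Qnet so the
# single inter-VRF leak route is unambiguous.
ASI_VIP = ip_address("10.0.1.10")
ASI_CLUSTER = {ASI_VIP, ip_address("10.0.1.11")}
TARPIT = ip_address("10.0.250.1")   # constructed Qnet tarpit / IDS sensor

# The "In Summary" chain: switch port -> VLAN -> VRF (constructed mapping).
PORT_TO_VLAN = {"Gi1/0/1": 100, "Gi1/0/2": 100, "Gi1/0/3": 200}
VLAN_TO_VRF = {100: QNET, 200: CLEANNET}


@dataclass(frozen=True)
class Packet:
    src_vrf: str   # VRF tag the packet carries (set by its ingress VLAN)
    dst: str       # destination IPv4 address
    proto: str     # "tcp" or "udp"
    dport: int


def vrf_for_port(port: str) -> str:
    """VRF a frame is tagged into when it enters a given access port."""
    return VLAN_TO_VRF[PORT_TO_VLAN[port]]


def forward(pkt: Packet) -> str:
    """Routing-table lookup in the packet's own VRF plus the boundary policy.
    Returns the zone the packet is delivered to, or DROP."""
    dst = ip_address(pkt.dst)
    if pkt.src_vrf == QNET:
        if dst in ASI_CLUSTER:
            # The only hole in the boundary: TCP/443 to the ASI cluster.
            return CLEANNET if (pkt.proto, pkt.dport) == ("tcp", 443) else DROP
        if dst in ENTERPRISE:
            return QNET      # stays inside the quarantine routing table
        return DROP          # the Qnet has no external connectivity
    if pkt.src_vrf == CLEANNET:
        return CLEANNET if dst in ENTERPRISE else INTERNET
    raise ValueError(f"unknown VRF {pkt.src_vrf!r}")


def qnet_resolve(name: str) -> str:
    """Qnet DNS, option 2 from the slide: the ASI name resolves to the
    cluster, every other name lands on the tarpit so the IDS sees the attempt."""
    if name.lower().rstrip(".") == "asi.company.com":
        return str(ASI_VIP)
    return str(TARPIT)


if __name__ == "__main__":
    samples = [
        Packet(QNET, str(ASI_VIP), "tcp", 443),       # allowed: ASI login page
        Packet(QNET, str(ASI_VIP), "tcp", 80),        # blocked: wrong port
        Packet(QNET, "10.0.5.5", "tcp", 445),         # stays inside the Qnet
        Packet(QNET, "203.0.113.7", "udp", 53),       # blocked: no Internet from Qnet
        Packet(CLEANNET, "203.0.113.7", "tcp", 443),  # CleanNet reaches the Internet
    ]
    for p in samples:
        print(f"{p.src_vrf:8} -> {p.dst}:{p.dport}/{p.proto}  => {forward(p)}")
    print("asi.company.com ->", qnet_resolve("asi.company.com"))
    print("www.example.net ->", qnet_resolve("www.example.net"))
```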



The ASI Cluster



What is available 

■ Email 

■ Office Apps 
■ Web (IE/Firefox)

■ Other critical applications which your users/organization 
rely on 

What isn't 

Multimedia intensive applications 
Streaming Video 

Locally installed user applications which require direct access to the 
internet 

Anything that requires access to the internet must be installed on the 
cluster or it won't work 
Securing the Cluster



No Copy/Paste between Qnet 
No Device mapping 
Only 2 factor sessions, encrypted 
Applications locked down 

Consider disabling Javascript on browsers (or use 
noscript) and office products 

DEP enforced on all running processes
User permissions extremely limited 

ASI Clients become "Dumb-Terminals" 
Moving The File Server...



Before moving it to the CleanNet 

What do you do with a multi-terabyte file server? 

Scan with multiple AV solutions 
■ Scan with IR tool for known bad hashes 

After the Move 

On the ASI

Enforce MOICE (Microsoft Office Isolated Conversion 
Environment ) on all Office files 

Disable JavaScript in Adobe Acrobat 

No untrusted executables 
Neutralizing file format threats



What is MOICE

Converts 2003 and previous Office files (binary formats) to XML

Conversion is done in a sandbox of sorts

Exploits in files cause a safe crash in conversion without exploiting the
user

What is DEP

Data Execution Prevention (DEP) is a set of hardware and software
technologies that perform additional checks on memory to help prevent
malicious code from running on a system. (microsoft.com)

Software protected by DEP is much harder to exploit

PDF Viewer

How many of you use Adobe Acrobat on your network?

Adobe Acrobat == Massive Vulnerability / Backdoor
■ Ditch it and get Foxit, etc.
Restoring User Services



Enforce 2-factor and reset any accounts which are not 2-factor

Install ASI client on all Qnet hosts

■ Make ASI the default home page on all client machines

Remove / hide all office applications (in Qnet) with SMS

Train users

■ Email
■ Handouts, Posters
■ Hands-on / virtual training
■ Memos, TPS reports, etc.
What's next?



After restoring operations, the focus shifts to cleanup, recovery, and attribution

Verify initial assumptions and analysis

Deeper malware analysis of collected samples

Submit samples to AV vendors

Network data analysis

Verify attack vector (root cause)

What data was taken - regulatory implications (HIPAA, SOX, etc.)

"Deep dive"
Introducing Codeword: A tool for rapid detection, recovery, mitigation and cleanup

Phase 4 - Investigation and 
Recovery 



Tools of the trade 



Commercial forensics tools: 

Enterprise versions are very costly 

Complicated 

Steep learning curve 

Require expensive full-time resources 

Heavily forensics-focused, not recovery-focused 

Mostly bulky, slow and painfully "thorough" 
Other enterprise "security tools" (e.g., Scanners, AV, HIPS): 

Poorly configured, not watched 

Not widely or consistently deployed 

Require problematic integration with infrastructure 
Free/Open source tools: 

Mixed capabilities 

Enterprise design not in mind 
Bottom line



You need the 10-day solution, 
not the 90-day solution 



Critical data is easy to get 



There is a limited set of critical data that an analyst 
must be able to quickly search and retrieve to identify a 
majority of common infections: 

■ Disk indicators: file name, size, hash, PE characteristics 

■ Memory indicators: process name, loaded modules, command 
line arguments, strings in heap 

■ Registry indicators: GUIDs and other static values 

Codeword's main purpose is to quickly expose this 
information in a meaningful way, so that an analyst can 
come to a reasonable conclusion about an enterprise- 
wide, active infection in minutes to hours 
Of course, it also has more advanced features ;-) 
Codeword inspiration



Frustration with commercial forensics tools 

Bugs 

Time wasted on service calls 

Licensing headaches 

Inconsistent results (v5-5a != V6.5.1 ??) 

Over-engineered, misses the simple use cases 

Core capabilities aren't customizable 

Lacking robust rootkit detection 

Fruitless search for a comprehensive open-source alternative

The agile, responsive attitude of Codeword fits perfectly with RETRI
Codeword goals



Imagine combining these enterprise tools into one 
simple, easy-to-use tool: 

■ Vulnerability & AV scanners - Codeword uses signatures to
detect and scan hosts locally

■ Enterprise forensic tool - Codeword uses forensic
techniques to collect malware evidence in an agent-based
framework

■ Rootkit detection - think GMER or IceSword

■ Extensible - define what you consider to be malicious

■ Free...
Current Capabilities



Detection - Uses registry, file and memory "signatures" to detect malware and misconfigurations, and heuristics to identify anomalous behavior

Evidence collection - collects any malicious files discovered

Reporting - Results are collected, compressed/encrypted and uploaded to a secure location in the Qnet (SFTP, HTTP, SMTP, or network share)

Mitigation - disable devices, uninstall apps, change system policies, etc.

Cleanup - kill processes/threads, delete/rename files, delete/clear registry entries, restore boot sector

Remote Analysis - connect to agent from admin interface
Major Features



Write your own signatures to find malware

■ Simple signature logic - use file names, sizes, hashes, etc.

Tweak advanced heuristics for better detection

■ User mode, kernel mode, and low-level heuristics

Isolate, clean and prevent future recurrence of infections

Thorough detection - Codeword searches the computer's registry, hard
drives and removable media, and live system memory for evidence of
infection

Receive usable alerts and data - collect all relevant evidence, along with
meaningful log files and summary reports, and ship them back to you
over a reporting method of your choice.

Real-time, remote analysis - connect to agents over an encrypted tunnel
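Added example, not Codeword's code or signature format: a small engine that evaluates file, registry and process signatures of the kind described under Critical data is easy to get and Major Features against a constructed host snapshot, then applies each signature's action and builds the data a report would carry back. The snapshot, file contents and signatures are constructed; the wincom32 names echo the Storm Worm results slides.

```python
"""Minimal signature engine for the disk, memory and registry indicators the
slides list. Added example, not Codeword's code; snapshot and signatures are constructed."""
import copy
import fnmatch
import hashlib
from collections import namedtuple

# kind: file|registry|process; match: indicators that must ALL hold; action: report|collect|delete|terminate
Signature = namedtuple("Signature", "kind label match action")
Hit = namedtuple("Hit", "label kind where action obj")  # obj: the matched snapshot entry

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()  # lookup key for known-bad content, nothing more

# Constructed host snapshot: what an agent gathers from disk, registry and live
# memory. The wincom32 names come from the Storm Worm slides.
BAD_DRIVER = b"constructed stand-in for the body of a malicious driver"
HOST = {
    "files": [
        {"path": r"C:\WINDOWS\system32\wincom32.sys", "data": BAD_DRIVER},
        {"path": r"C:\WINDOWS\system32\notepad.exe", "data": b"benign bytes"},
    ],
    "registry": {
        r"HKLM\SYSTEM\CurrentControlSet\Services\wincom32": {
            "ImagePath": r"\??\C:\WINDOWS\system32\wincom32.sys", "Start": 1},
        r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp": {"Start": 2},
    },
    "processes": [
        {"pid": 1000, "name": "explorer.exe", "cmdline": "explorer.exe",
         "modules": ["ntdll.dll"]},
        {"pid": 2000, "name": "svchost.exe", "cmdline": "svchost.exe -k netsvcs",
         "modules": ["ntdll.dll", "wincom32.dll"]},
    ],
}

# Constructed signatures, one per indicator class on the slides.
SIGNATURES = [
    Signature("file", "wincom32 driver on disk",
              {"name": "wincom32.*", "md5": md5_hex(BAD_DRIVER)}, "collect"),
    Signature("registry", "wincom32 service key",
              {"key": r"HKLM\SYSTEM\*\Services\wincom32", "value": "ImagePath"}, "delete"),
    Signature("process", "wincom32 module loaded in a process",
              {"module": "wincom32.dll"}, "terminate"),
]

def snapshot() -> dict:
    return copy.deepcopy(HOST)  # fresh copy so one scan cannot disturb the next

def _file_matches(m: dict, f: dict) -> bool:
    name = f["path"].rsplit("\\", 1)[-1].lower()
    return (("name" not in m or fnmatch.fnmatchcase(name, m["name"].lower()))
            and ("size" not in m or len(f["data"]) == m["size"])
            and ("md5" not in m or md5_hex(f["data"]) == m["md5"].lower()))

def _registry_matches(m: dict, key: str, values: dict) -> bool:
    # fnmatch's "*" spans backslashes, so one pattern covers every ControlSetNNN copy.
    return (fnmatch.fnmatchcase(key.lower(), m["key"].lower())
            and ("value" not in m or m["value"] in values))

def _process_matches(m: dict, p: dict) -> bool:
    mods = [x.lower() for x in p["modules"]]
    return (("name" not in m or fnmatch.fnmatchcase(p["name"].lower(), m["name"].lower()))
            and ("cmdline" not in m or m["cmdline"].lower() in p["cmdline"].lower())
            and ("module" not in m or m["module"].lower() in mods))

def scan(host: dict, sigs) -> list:
    """Evaluate every signature against the snapshot; one Hit per matching entry."""
    hits = []
    for s in sigs:
        if s.kind == "file":
            hits += [Hit(s.label, s.kind, f["path"], s.action, f)
                     for f in host["files"] if _file_matches(s.match, f)]
        elif s.kind == "registry":
            hits += [Hit(s.label, s.kind, k, s.action, k)
                     for k, v in host["registry"].items() if _registry_matches(s.match, k, v)]
        elif s.kind == "process":
            hits += [Hit(s.label, s.kind, f"{p['name']} (pid {p['pid']})", s.action, p)
                     for p in host["processes"] if _process_matches(s.match, p)]
    return hits

def mitigate(host: dict, hits) -> dict:
    """Apply each hit's action to the snapshot; returns what the report archive carries back."""
    evidence, removed = {}, []
    for h in hits:
        if h.kind == "file" and h.action == "collect":
            evidence[h.where] = h.obj["data"]
        elif h.action in ("delete", "terminate"):
            if h.kind == "registry":
                host["registry"].pop(h.obj)
            else:
                host["files" if h.kind == "file" else "processes"].remove(h.obj)
            removed.append(h.where)
    return {"hits": len(hits), "evidence": evidence, "removed": removed}
```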
Benefits and other uses



Can be used on a regular basis as part of a network security best practice

Use as a triage tool (e.g., in support of RETRI)

Aggregate information on all system infections by site name and location

Help find original infection point: All malware and system information, including pinpointing USB devices, is reported back
With that said...



Codeword is not a "Forensically-sound" tool

It will not solve all of your problems

You should use Codeword as part of an overarching response process, not as The Easy Button

Codeword is beta freeware - don't complain when it crashes

Comes with no warranties or hypno-toads
Components



Codeword has 3 primary components: 

■ Admin Console (C#): A graphical interface used to 
generate new agents and connect to existing deployed 
agents; wraps agent binary in an MSI installer file for 
deployment 

■ Agent (C#): A single binary contained inside the 
generated MSI; a host-level scanner to detect viruses, 
clean related files and footprints, and to implement 
remediation actions to prevent further infection 

■ Kernel-mode driver (C): A single SYS file that contains 
rootkit detection logic and other evidence-collecting code 
Quick start: using Codeword



1. Create an agent 

■ Define signatures specific to malware 
Choose user mode and kernel mode heuristics 

■ Generate agent MSI installer 

■ Deploy using psexec, SMS, Altiris, etc.

2. Connect/scan/analyze 

■ Fire-and-forget mode: agent automatically sends an 
encrypted zip archive with results/evidence 

Enterprise/Remote Control: use Admin Console 

3. Collect/Mitigate 
Admin Console

[Screenshot: Codeword Admin Console (menu: File, Settings, Signatures, Help). Top tabs: Create New Agent | Connect to Existing Agent | Enterprise Pull. Agent settings tabs: Startup | Connection | Persistence/Stealth | Mitigation | Collection | Reporting | Information | Advanced. Panels shown: Startup Mode (Fire-and-Forget, Remote control, Enterprise), Self-protection ("...are reported... you can deploy a second agent with a different startup mode."), and a Scan Local Host button.]

Startup modes

Startup

Once the agent has unpacked, what would you like it to do?

■ Fire-and-Forget mode

The agent will unpack, run the scan, report back, and remove itself.

■ Remote control mode

The agent will unpack and open a listening port for commands.

■ Enterprise mode

The agent will unpack, run the scan and open a listening port for commands.
Connection



[Screenshot: Connection tab of the agent settings.]

Agent service

■ Listening port:
■ Use random port number

Authentication

■ Agent's private/public key pair in PFX/PKCS #12 format:
■ Keystore file:
■ Password:
■ Force strong authentication (AES-256 only)*
■ Authenticate server to client
■ Authenticate client to server
■ Enforce certificate issuer:

*Note: AES-256 is only supported after WinXP SP3
Persistence/Stealth



[Screenshot: Persistence/Stealth tab of the agent settings.]

Persistence

How long should the agent remain on the system?

■ Install as a service

The agent will remain on the system until an administrator removes it

Service name:

Installs to system folder

■ Run once

The agent will destroy itself after completing the given tasks.

Stealth

How should the agent kee...

■ Randomize the name of the agent's process
■ Hide the agent's process
■ Do not attempt to install .NET
■ Load driver using system load and call image
■ Load driver using ZwLoadDriver()
Reporting



[Screenshot: Reporting tab of the agent settings.]

Send results to: Enable automated reporting

■ Network share: (example: \\CorpShare\ScanResults$)
■ FTP Server: ftp://
■ SMTP Server:
■ Web server URI: http(s)://
■ Address:
■ Port:
■ Use TLS/SSL port:

Confidentiality and Integrity:

■ Authentication: Application: User name: / Password:
■ Transport: Public Key (Server):
■ Archive password:
Defining signatures



[Screenshot: Codeword Admin Console, Create New Agent tab, Signatures tree: Registry (Registry GUID, Dynamic GUIDs), Memory (Process Name), Heuristics. Item editor: "[REQUIRED] What do you want to do with this item if it is found?" with the choice "Terminate process if exists", and a Keywords field.]
Selecting Heuristics 



[Screenshot: Codeword Admin Console, Agent Settings → Signatures → Heuristics tree: Process/Thread, Module, BHO/Toolbar, Registry, Kernel/Ntdll, GDI32 Subsystem, Drivers, Call Gates, NDIS/TDI, BIOS, Boot sector; each heuristic class has its own tab of options.]
Generate it!

[Screenshot: Codeword Admin Console, Create New Agent tab.]
Step 2: Connect/Scan/Analyze

Enterprise and Remote Control Modes 



Connecting to an agent

1. Specify admin console keys

[Dialog: Set Admin Console Credentials]
■ Public/Private keypair file (PKCS-12/PFX): C:\TestPFX.pfx (Browse...)
■ PFX file password:
■ Ignore remote certificate errors: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
■ Save

2. Click connect!

[Connect to Existing Agent: 192.168.85.129, port 41014, Connect]
...we are connected

[Screenshot: Codeword Admin Console, Connect to Existing Agent tab, connected to 192.168.85.129 port 41014.]
[Agent view tabs: Recent Agents | System Info | Registry | File | Memory | User Mode Anomalies | Kernel Mode Anomalies | Mode-Independent Anomalies | Low-level Anomalies; Command History]

HOST INFORMATION

Machine Name: TESTER-XPSP2
UserDomainName: WORKGROUP
IPAddresses: 192.168.85.129 (AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport)
UserName: SYSTEM
OS Version Short: Microsoft Windows NT 5.1.2600 Service Pack 2
OS Version Long: Windows XP
Agent Current Directory: C:\WINDOWS\system32
Logical Drives: A:\, C:\, D:\
Num Processors: 1
Working Set Size: 18MB

AGENT INFORMATION

Agent version: CwAgent, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
Agent settings:
Static RegGuid Value:
The Toolbar
Issue a scan



Click the big green "PLAY" button 
Issues a command to the agent to begin 
scanning with whatever signature file it has 
Scan as many times as you like; change 
signatures by uploading new signatures file 
Storm Worm Results: Registry

[Screenshot: Codeword Admin Console, Registry results tab. Columns: Key Name, Value Name, New Value Data, On Disk?, ... Hits listed under HKLM\SYSTEM\ControlSet001 and HKLM\SYSTEM\CurrentControlSet: Enum\Root\LEGACY_WINCOM32 and Services\wincom32, with values NextInstance, Type, Start, ErrorControl, ImagePath (\??\C:\WINDOWS\system32\winco...) and DisplayName (wincom32).]
Storm Worm Results: File



[Screenshot: Codeword Admin Console, File results tab for the agent at 192.168.85.129 port 41014. Columns: Name, Path, Size, Hash, PE Signature, Created, Accessed.]

■ peers.ini - C:\WINDOWS\system32\peers.ini - created/accessed Wednesday, July 08, 2009
■ wincom32.sys - C:\WINDOWS\system32\wincom32.sys - 41728 bytes - created/accessed Wednesday, July 08, 2009
Step 3: Collect and Mitigate

Enterprise and Remote Control Modes 



Collect

[Screenshot: Codeword Admin Console, Collect action.]
Mitigate

[Screenshot: Codeword Admin Console, Mitigate action.]
Mitigate (2)

[Screenshot: file hits selected for mitigation; columns Name, Path, Size, Hash]

■ peers.ini - C:\WINDOWS\system32\peers.ini
■ wincom32.sys - C:\WINDOWS\system32\wincom32.sys - 41728 bytes
What's reported?



A password-protected, encrypted (AES 256) 
Zip archive containing: 

■ Infection summary report 
Mitigation report 

■ All collected malware binaries and evidence 

■ A detailed run log 






Demo #1: Storm Worm 



GOAL: 

■ Understand how to define registry, disk and 
memory signatures to detect user-mode malware 

SCENARIO: 

■ VM Guest infected with Storm worm 
OBJECTIVES: 

■ Deploy agent using Remote Control mode 
Examine malware footprints 






Demo #2: TcpIrpHook



GOAL:

■ Understand how Codeword heuristics help catch
kernel malware (and anti-virus)

SCENARIO:

■ VM Guest infected with kernel-mode rootkit
TcpIrpHook

OBJECTIVES:

■ Deploy agent using Remote Control mode
■ Scan with Driver IRP hook heuristic
Possible Limitations



Software licensing costs can be prohibitive 

■ These costs are outweighed by user productivity
■ "Renting" the software may be a cost-effective solution

Some challenges that plague traditional methods 
also impact RETRI: 

■ Disorganized networks, lack of funding, lack of mgmt- 
level support, lack of resources, etc. 

■ Assumptions made early on have cumulative impact later 
on: 

■ Availability of backups 

■ COOP readiness 

■ Date and scope of infection 
Final Thoughts



Preparation is key to ensuring services are 
restored quickly 

■ Know your network and critical services 

■ Ensure backups exist 

■ Have hardware / software ready 

Keeping services up significantly reduces the 
cost of recovery 

Remember: User downtime costs 3 times as 
much as the actual cleanup 
Thanks for coming!!

Email us
MikeAMurphy@gmail.com
AaronLemasters@yahoo.com

Website:
www.hexsec.com
www.code-word.on

Hexagon Security Group

Security Without Imagination is a Vulnerability



